Not Validating the Session May Lead to Account Deletion

Aneesha D (ohzo)
2 min read · Dec 31, 2022

Session termination is an important part of the session lifecycle. Keeping the lifetime of session tokens to a minimum decreases the likelihood of a successful session hijacking attack. It also serves as a control against other attacks such as Cross-Site Scripting and Cross-Site Request Forgery, which are known to rely on the user having an authenticated session present. Not having secure session termination only increases the attack surface for any of these attacks; for example, an account could be deleted without the password, or the password check could be bypassed altogether.

Secure session termination requires at least the following components:

  • Session termination after the password or email is updated.
  • Session termination after a given amount of time without activity (session timeout).
  • Proper invalidation of server-side session state.

Let's talk about the vulnerability I found.

Consider a site "example.com" where users can sign up and use their account. It also has a dashboard with options such as Update Email, Update Password and Delete Account.

I created an account using xyz@gmail.com and logged in from two different browsers. Later, I updated the email in one of the browsers and checked in the other browser whether the session had been invalidated…
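To make the three termination components above concrete, and to show what the two-browser check described here should look like when the site gets it right, the following is an added example written for this post; it is not code from the author or from any real site. It is a self-contained, in-memory session store (stdlib only) with an assumed 15-minute idle timeout; the user ids, emails and "<hash>" placeholder are constructed sample values. Every dashboard action validates the presenting token first, and a credential change (email or password) invalidates every other session of that user on the server side, so a token still sitting in the second browser cannot be used to delete the account.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session dies (assumed policy)


@dataclass
class Session:
    user_id: str
    last_active: float


@dataclass
class User:
    user_id: str
    email: str
    password_hash: str  # placeholder; a real system stores a slow password hash here


class SessionStore:
    """Server-side session state: the token is only a lookup key, the truth lives here."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}
        self._users: Dict[str, User] = {}

    def add_user(self, user: User) -> None:
        self._users[user.user_id] = user

    def login(self, user_id: str) -> str:
        """Issue a fresh, unguessable token (one per browser/device)."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_id, self._clock())
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user_id for a live session, or None. Expired sessions are purged."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if self._clock() - sess.last_active > IDLE_TIMEOUT:
            del self._sessions[token]          # idle timeout: drop server-side state
            return None
        sess.last_active = self._clock()       # activity refreshes the idle clock
        return sess.user_id

    def _invalidate_all_for(self, user_id: str, keep: Optional[str] = None) -> int:
        """Drop every session of user_id except the one that made the change."""
        doomed = [t for t, s in self._sessions.items() if s.user_id == user_id and t != keep]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    # Dashboard actions: each validates the presenting session before doing anything.
    def update_email(self, token: str, new_email: str) -> bool:
        user_id = self.validate(token)
        if user_id is None:
            return False
        self._users[user_id].email = new_email
        self._invalidate_all_for(user_id, keep=token)  # credential change kills other sessions
        return True

    def update_password(self, token: str, new_password_hash: str) -> bool:
        user_id = self.validate(token)
        if user_id is None:
            return False
        self._users[user_id].password_hash = new_password_hash
        self._invalidate_all_for(user_id, keep=token)
        return True

    def delete_account(self, token: str) -> bool:
        user_id = self.validate(token)
        if user_id is None:
            return False                        # stale token from another browser is refused
        self._invalidate_all_for(user_id)
        del self._users[user_id]
        return True


def reproduce_two_browser_scenario() -> dict:
    """Log in from two 'browsers', change the email in one, try to delete from the other."""
    store = SessionStore()
    store.add_user(User("u1", "xyz@gmail.com", "<hash>"))   # constructed sample user
    browser_a = store.login("u1")
    browser_b = store.login("u1")
    return {
        "email_changed": store.update_email(browser_a, "new@example.com"),
        "browser_a_still_valid": store.validate(browser_a) is not None,
        "browser_b_still_valid": store.validate(browser_b) is not None,
        "delete_from_b": store.delete_account(browser_b),  # must be False
    }


def idle_timeout_demo() -> bool:
    """Advance a fake clock past IDLE_TIMEOUT and confirm the token is rejected."""
    now = [1_000.0]
    store = SessionStore(clock=lambda: now[0])
    store.add_user(User("u2", "abc@example.com", "<hash>"))
    tok = store.login("u2")
    now[0] += IDLE_TIMEOUT + 1
    return store.validate(tok) is None


if __name__ == "__main__":
    print(reproduce_two_browser_scenario())
    print("idle timeout enforced:", idle_timeout_demo())
```

The check that matters is `delete_from_b`: with proper server-side invalidation the second browser's token is gone the moment the email changes, so the delete request fails before it reaches the account. A site that only clears the cookie in the browser that changed the email, and never touches the server-side record, would return True here, which is the class of weakness this post describes.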

Aneesha D (ohzo)

I am a Software Developer and a Security Researcher with a Bachelor of Engineering in CS.